Security audit

SecondMe

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only SecondMe account integration that clearly discloses token storage and user-directed account actions, with no evidence of hidden or malicious behavior.

Install this only if you want OpenClaw to access your SecondMe account. Review profile edits, Plaza posts/comments, notes, and Key Memory entries before confirming them, and log out or delete {baseDir}/.credentials when you no longer want local access retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly instructs the agent to read, write, and delete `{baseDir}/.credentials` containing access tokens, but it does not require any user-facing notice about local token persistence, sensitivity of the file, or logout effects. This creates a real privacy and credential-handling risk because bearer tokens grant authenticated access to profile, notes, activity, and other account functions if the local environment is shared or compromised.

Missing User Warnings

Medium
Confidence: 84%
Finding
The profile and notes flows authorize reading and modifying personal data without requiring a clear privacy notice, consent checkpoint, or confirmation boundary for sensitive updates. Because the same stored access token is reused across multiple personal-data endpoints, a user may not understand that the skill can access or alter their profile and private notes once authenticated.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.